I have been reading a fair bit but struggling with testing; the problem is I'm working on live production boxes when no-one else is here.
It's easy to understand my network as a multi-department VLAN (it is actually made up of around 14 one- or two-man companies, all on their own VLAN and subnet to prevent hacking), e.g. 192.168.x.1 per company.
However, the need to add a multifunctional scanner/printer has arisen, along with some other devices. Started pulling my hair out with some of the advice on here; not easy either.
My WAN connection is actually our own fixed IP, so the actual pfSense box is on the net; I have even got a domain DNS pointing to it. So the firewall is busy!
I have thought about putting the printers/camera/devices on a subdomain, http://webcam.buldingname.com port 80, and then maybe another, http://telephoneadmin.buildingname.com port 80. Then our own photocopier, which from what I have read is port 9100; however, I'm slightly worried about who can access it, as it will be protected by department IDs. I want everyone to discover the printer 'somehow'. I have tried to do port forwards, not had much luck there, and I have tried to set up a 'reverse proxy' with Squid, not having much luck understanding it!
I can understand the routing of VLANs; done pretty well so far with that, but as I am using DHCP servers on each interface and multiple subnets, I'm considering maybe having ONE subnet and just relying on VLANs.
I have several systems to set up; I thought a reverse proxy would allow me to redirect all port traffic to that particular machine. This is how I am thinking.
Auto discovery is usually done with broadcast or multicast packets. These do not traverse routing. I think there is a package or something that deals with relaying those. I would imagine that you would not want to do that, though.
The idea about putting them on DNS names is a very good one. I would use the DNS forwarder within pfSense to hand out the local IP of the webcam, telephone admin, and printer. This way you don't have to worry about port reflection. Much easier to route than to relay broadcasts.
I don't think you reverse proxy with port 9100, but unless you are really set on that, I think there is a routing solution that would work more reliably. You don't have to do a port forward for internal traffic, but you would if you wanted to put that on the internet.
Hope that makes some sense.
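To make the "hand out the local IP from the DNS forwarder" suggestion concrete, here is an added example (not code from either poster or from pfSense) that models what a host override in a local forwarder does: a minimal DNS responder that answers A queries for a few overridden names with their VLAN addresses and returns `None` for everything else, meaning "forward this upstream". The hostnames and 192.168.x addresses are constructed placeholders. Clients on the internal VLANs that use the firewall as their resolver then connect straight to the printer or camera on its LAN address (port 9100, port 80), so no port forward or NAT reflection is involved; which VLANs may actually reach those addresses is still decided by the per-interface firewall rules, not by DNS.

```python
import socket
import struct

# Constructed host overrides (placeholders, not the thread's real names/addresses).
# This is the equivalent of "DNS Forwarder -> Host Overrides" entries on pfSense.
HOST_OVERRIDES = {
    "webcam.buildingname.com": "192.168.1.20",
    "telephoneadmin.buildingname.com": "192.168.1.30",
    "printer.buildingname.com": "192.168.1.40",
}

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed wire-format name; returns (lowercase name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("compressed name not supported here")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234):
    """Build a standard recursive A query, as a LAN client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)


def answer_query(query):
    """Return a response for an overridden name, or None to signal 'forward upstream'."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return None
    name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != A_RECORD or qclass != IN_CLASS or name not in HOST_OVERRIDES:
        return None  # not one of ours: a real forwarder would relay to upstream DNS
    question = query[12:off + 4]
    # Flags 0x8180: response, recursion desired, recursion available, NOERROR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = socket.inet_aton(HOST_OVERRIDES[name])
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 60, len(rdata)) + rdata
    return header + question + answer


def parse_a_answer(response):
    """Extract the IPv4 addresses from the answer section of a response we built."""
    _txid, _flags, _qd, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    _name, off = decode_name(response, 12)
    off += 4  # skip qtype/qclass
    ips = []
    for _ in range(ancount):
        off += 2  # compression pointer to the question name
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == A_RECORD:
            ips.append(socket.inet_ntoa(response[off:off + rdlen]))
        off += rdlen
    return ips


def resolve_local(name):
    """What an internal client would get back for `name`; None if not overridden."""
    response = answer_query(build_query(name))
    return None if response is None else parse_a_answer(response)


def serve(bind_addr="127.0.0.1", port=5300):
    """Optional UDP loop so the responder can be tried with a real client (e.g. dig @127.0.0.1 -p 5300)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        query, peer = sock.recvfrom(512)
        response = answer_query(query)
        if response is not None:
            sock.sendto(response, peer)


if __name__ == "__main__":
    print(resolve_local("printer.buildingname.com"))  # ['192.168.1.40']
    print(resolve_local("example.com"))               # None -> would be forwarded
```

The responder only replaces the lookup step: a client on a department VLAN resolving `printer.buildingname.com` gets 192.168.1.40 and opens port 9100 directly, routed between VLANs by the firewall. Public DNS for the same name can keep pointing at the WAN address, which is the usual split-horizon setup and is why the reply says port reflection is not needed for internal traffic.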